MyProxy and the Globus Toolkit

Agenda:
10:00-10:30  MyProxy Introduction and Update (Jim Basney, NCSA)
10:30-10:45  MyProxy and NVO (Mike Freemon, NCSA)
10:45-11:00  MyProxy and FusionGrid (Mary Thompson, LBL)
11:00-11:15  MyProxy and EGEE (Ludek Matyska, CESNET)
11:15-11:30  Panel Discussion

See http://myproxy.ncsa.uiuc.edu/talks.html for slides.

GridWorld 2006, http://myproxy.ncsa.uiuc.edu/
MyProxy Introduction and Update
Jim Basney, Senior Research Scientist, NCSA
jbasney@ncsa.uiuc.edu
What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
MyProxy Logon
- Authenticate to retrieve PKI credentials
  - End Entity or Proxy Certificate
  - Trusted CA Certificates
  - Certificate Revocation Lists (CRLs)
- MyProxy maintains the user's PKI context
  - Users don't need to manage long-lived credentials
  - Enables server-side monitoring and policy enforcement (e.g., passphrase quality checks)
  - CA certificates and CRLs are updated automatically at login
- MyProxy integrates with existing authentication systems
  - Providing a gateway to grid authentication
MyProxy Authentication
- Key Passphrase
- X.509 Certificate
  - Controls credential storage, retrieval, and renewal
  - Supports trusted authentication and renewal services
- Pluggable Authentication Modules (PAM)
  - Kerberos password
  - One Time Password (OTP)
  - Lightweight Directory Access Protocol (LDAP) password
- Simple Authentication and Security Layer (SASL)
  - Kerberos ticket (SASL GSSAPI)
- Pubcookie
  - Web Single Sign-On
- Virtual Organization Membership Service (VOMS)
  - Attribute-based access control
MyProxy Deployment Options
- Users already have PKI credentials
  - The MyProxy repository can help users manage the credentials by:
    - Securing private keys in a professionally managed server
    - Obtaining credentials when/where needed
    - Using credentials with MyProxy-enabled applications
- Users have site logons but no PKI credentials
  - The MyProxy CA can provide the bridge
- Users need to register to obtain PKI credentials
  - User registration portals provide a MyProxy interface:
    - Grid Account Management Architecture (GAMA), http://grid-devel.sdsc.edu/gama
    - Portal-Based User Registration Service (PURSE), http://www.grids-center.org/solutions/purse
MyProxy CA Configuration
- Authentication options:
  - PAM, SASL/Kerberos, SSL/TLS
- Username to certificate subject mapping
  - Via "gridmap" file, LDAP query, or call-out
- Certificate extension config file and call-out
- Maximum certificate lifetime policy
- Works well with Globus Simple CA
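The username-to-subject mapping and lifetime policy above are the two decisions an online CA makes before it signs anything. The following is an added example, not MyProxy's own code: it parses a gridmap-format mapfile (the "gridmap" option named on the slide), does the reverse lookup from login name to subject, and clamps the requested lifetime to a cap. The refusal of ambiguous mappings, the CA namespace check, the sample mapfile, and the policy values CA_NAMESPACE and MAX_CERT_LIFETIME are this example's assumptions, not documented MyProxy behaviour; signing the client's certificate request is left out.

```python
"""Username-to-subject mapping and lifetime policy for a MyProxy-style online
CA.  Added example, not MyProxy's own code.  Gridmap format is parsed as the
slide names it; the namespace check, the ambiguity refusal and the policy
values are assumptions made for this example."""
import re

# Constructed sample mapfile in gridmap format: "<subject DN>" user[,user...]
SAMPLE_MAPFILE = '''
# lines starting with '#' and blank lines are ignored
"/C=US/O=Example Grid/CN=Jane Doe" jdoe
"/C=US/O=Example Grid/CN=Alice Example" alice,aex
"/C=US/O=Example Grid/OU=Services/CN=portal.example.org" portal
'''

# Hypothetical policy values for this example.
CA_NAMESPACE = "/C=US/O=Example Grid/"       # subjects this CA is allowed to sign
MAX_CERT_LIFETIME = 11 * 24 * 3600           # seconds

_ENTRY = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_gridmap(text):
    """Return [(subject, [usernames]), ...] in file order.  Malformed lines are
    an error rather than skipped, so a typo cannot silently drop a mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"gridmap line {lineno}: malformed entry: {line!r}")
        entries.append((m.group(1), m.group(2).split(",")))
    return entries


def subject_for_username(entries, username):
    """Reverse lookup the CA needs: the subject a login name may be issued.
    None if unmapped; ValueError if the name maps to more than one subject."""
    matches = [subject for subject, users in entries if username in users]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError(f"{username!r} maps to {len(matches)} subjects")
    return matches[0]


def issue_decision(entries, username, requested_sec,
                   namespace=CA_NAMESPACE, max_sec=MAX_CERT_LIFETIME):
    """Decide what the CA would sign for an already-authenticated login name.
    Returns (subject, lifetime_sec), or None when the CA must refuse."""
    subject = subject_for_username(entries, username)
    if subject is None or not subject.startswith(namespace):
        return None
    if requested_sec <= 0:
        return None
    return subject, min(requested_sec, max_sec)


if __name__ == "__main__":
    entries = parse_gridmap(SAMPLE_MAPFILE)
    print(issue_decision(entries, "jdoe", 30 * 24 * 3600))
```

The two refusals are deliberate: a login name that maps to two subjects, or to a subject outside the CA's own namespace, is a mapfile error that should stop issuance rather than be resolved by picking the first match.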
MyProxy Repository Policies
- Who can store credentials?
  - Restrict to specific users or CAs
  - Restrict to administrator only
- Who can retrieve credentials?
  - Allow anyone with the correct password
  - Allow only trusted services / portals
- Maximum lifetime of retrieved credentials
- Policies can be set server-wide and per-credential
MyProxy-enabled Applications
- CoG Kit APIs (www.cogkit.org)
- Grid portal toolkits
  - GridSphere (www.gridsphere.org)
  - GridPort (gridport.net)
  - OGCE (www.collab-ogce.org)
- Authentication modules
  - JAAS (myproxy.ncsa.uiuc.edu/jaas)
  - Apache (myproxy.ncsa.uiuc.edu/apache)
  - Pubcookie (myproxy.ncsa.uiuc.edu/pubcookie)
MyProxy Documentation
(slide content not recoverable from the extracted text)

MyProxy Support
(slide content not recoverable from the extracted text)
MyProxy Protocols
Presenting the following scenarios:
- Obtain credentials via MyProxy CA
- Store credentials in MyProxy repository
- User Registration Portals
- Web Portal Authentication and Delegation
- Web Single Sign-On (SSO)
- Credential Renewal
- Password-based Delegation
MyProxy CA with PAM (diagram)
Components: Client, MyProxy Server (CA key, PAM, gridmap), LDAP Server (DN lookup), RADIUS Server, Kerberos KDC, Grid Service.
Flow as labelled: the Client generates a keypair, completes a TLS handshake with the MyProxy Server, and sends its password and a certificate request. The server checks the password through PAM (against the RADIUS Server, or against the Kerberos KDC, which returns a TGT), maps the username to a DN via the gridmap file or an LDAP DN lookup, signs the request with the CA key, and returns the certificate. The Client then uses the X.509 credential with the Grid Service.
MyProxy CA with Kerberos (diagram)
Components: Client (SASL), MyProxy Server (SASL, CA key, gridmap), Kerberos KDC, LDAP Server (DN lookup), Grid Service.
Flow as labelled: the Client generates a keypair, completes a TLS handshake, and authenticates with a Kerberos ticket from the KDC over SASL/GSSAPI/Kerberos, then sends a certificate request. The server maps the username to a DN via the gridmap file or an LDAP DN lookup, signs the request with the CA key, and returns the certificate, which the Client uses as its X.509 credential with the Grid Service.
MyProxy Put (diagram)
Components: Client (certificate, private key), MyProxy Server.
Flow as labelled: after a TLS handshake the Client sends a username, a retrieval policy, and a password. The server generates a keypair and sends a certificate request; the Client signs a proxy certificate with its private key and returns the proxy certificate and chain. The server stores the keypair, the cert chain, and the private key under that username, guarded by the policy and password.
MyProxy Get (diagram)
Components: Client, MyProxy Server (stored private key, cert chain), Grid Service.
Flow as labelled: after a TLS handshake the Client sends a username, a password, and a certificate request for a freshly generated key. The server signs a proxy certificate with the stored private key and returns the proxy certificate and chain. The Client uses the resulting X.509 credential with the Grid Service; the stored private key never leaves the server.
User Registration Portal (diagram)
Components: Browser, Registration Portal (User DB), Certificate Authority, MyProxy Server, Client, Grid Service.
Flow as labelled: the Browser completes a TLS handshake with the Registration Portal and submits a username and password. The portal obtains a certificate and private key for the user from the Certificate Authority, records the username, certificate, and private key in its User DB, and stores the credential in the MyProxy Server under that username. Later the Client performs a MyProxy Get (TLS handshake, username, password, certificate request) to receive a proxy certificate and chain, and uses the X.509 credential with the Grid Service.
Password-based Portal Auth (diagram)
Components: Browser, Portal, MyProxy, Grid Service.
Flow as labelled: the Browser completes a TLS handshake with the Portal and submits a username and password. The Portal forwards the username and password to MyProxy with a certificate request and receives a cert and key. The Portal then uses that X.509 credential with the Grid Service on the user's behalf.
Trusted Portal (diagram)
Components: Browser, Portal (User DB), MyProxy, Grid Service.
Flow as labelled: the Browser completes a TLS handshake with the Portal and submits a username and password, which the Portal checks against its own User DB. The Portal then authenticates to MyProxy with its own X.509 credential and sends a certificate request for the username, without the user's MyProxy password, and receives a cert and key. The Portal uses that X.509 credential with the Grid Service.
MyProxy and Web SSO (diagram)
Components: PURSE, Browser, Pubcookie Login Server, MyProxy, Portal A, Portal B, Grid Service.
Flow as labelled: PURSE registration places the user's password-protected credential in MyProxy. The Browser sends its password to the Pubcookie Login Server, which verifies it by retrieving a cert from MyProxy and issues a cookie. The Browser presents the cookie to Portal A and Portal B; each portal obtains the user's cert and uses the X.509 credential with a Grid Service.
Password-based Renewal (diagram)
Components: Client, Condor-G, GRAM Gatekeeper, Job, MyProxy.
Flow as labelled: the Client submits a job with a proxy and a password to Condor-G. Condor-G passes the job and proxy to the GRAM Gatekeeper, which starts the Job with the proxy. Before the proxy expires, Condor-G uses the password to retrieve a fresh proxy from MyProxy and delivers it to the Job.
Certificate-based Renewal (diagram)
Components: Client (cert, key), Workload Management Service, Renewal Service, Condor-G, GRAM Gatekeeper, Job, MyProxy.
Flow as labelled: the Client submits a job and proxy to the Workload Management Service, which hands the job to Condor-G and on to the GRAM Gatekeeper and the Job. The Renewal Service authenticates to MyProxy with its own X.509 credential, and MyProxy issues a renewed proxy only if the credential's policy names that service; the renewed proxy is delivered to the running Job. No user password is involved.
Password-based Delegation (diagram)
Components: Delegator (certificate, private key), Delegatee (certificate, private key), MyProxy.
Flow as labelled: the Delegator completes a TLS handshake with MyProxy, delegates a credential, and stores it under a username protected by a random password. The Delegator passes the username and random password to the Delegatee. The Delegatee completes its own TLS handshake, sends the username, the random password, and a certificate request, and receives a certificate for its private key.
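The Put and Get slides, the Repository Policies slide, the Trusted Portal slide, and the delegation scenario above all come down to one set of server-side checks on a GET. The following is an added example, not MyProxy's own code. The VERSION, COMMAND, and RESPONSE fields, the NUL-terminated KEY=VALUE framing, and the 6-character passphrase minimum follow the published MyProxy protocol; everything else is a reduced model written for this example: shell-style patterns stand in for the server's regular expressions, a PBKDF2 hash for the on-disk passphrase store, the per-credential trusted-retriever policy is left out, and the delegate() helper, the DNs, and the policy values are assumptions. The real exchange runs inside TLS and, after an OK reply to GET, continues with a DER certificate request from the client and the signed proxy chain from the server, which is not modelled.

```python
"""Model of the MyProxy v2 message framing, the repository's checks on a GET
(proxy retrieval), and password-based delegation.  Added example, not
MyProxy's own code; policy matching, passphrase storage and delegate() are
simplifications made for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from fnmatch import fnmatch

VERSION = "MYPROXYv2"
GET_PROXY, PUT_PROXY = 0, 1                  # COMMAND numbers from the protocol
RESPONSE_OK, RESPONSE_ERROR = 0, 1           # 2 (authorization challenge) is not modelled
ANONYMOUS = "anonymous"                      # client sent no certificate in the TLS handshake
MIN_PASSPHRASE = 6


def encode(fields):
    """Wire framing: KEY=VALUE lines, newline separated, NUL terminated."""
    return "".join(f"{k}={v}\n" for k, v in fields).encode() + b"\0"


def decode(data):
    """Inverse of encode(); returns a list of pairs so repeated keys survive."""
    if not data.endswith(b"\0"):
        raise ValueError("message is not NUL-terminated")
    lines = [ln for ln in data[:-1].decode().split("\n") if ln]
    return [tuple(ln.partition("=")[::2]) for ln in lines]


def get_request(username, passphrase, lifetime_sec):
    return encode([("VERSION", VERSION), ("COMMAND", GET_PROXY), ("USERNAME", username),
                   ("PASSPHRASE", passphrase), ("LIFETIME", lifetime_sec)])


def error(msg):
    return encode([("VERSION", VERSION), ("RESPONSE", RESPONSE_ERROR), ("ERROR", msg)])


def _kdf(passphrase, salt):
    # Assumption: the real server stores passphrases differently; any salted
    # slow hash serves the model.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


@dataclass
class StoredCred:
    """What a PUT leaves on the server.  The delegated proxy chain and its
    private key would sit here too; only the policy-relevant parts are kept."""
    owner_dn: str
    salt: bytes
    pass_hash: bytes
    max_proxy_lifetime: int      # cap the owner set at store time (seconds)
    retrievers: list             # per-credential policy; empty = server default

    @classmethod
    def put(cls, owner_dn, passphrase, max_proxy_lifetime, retrievers=()):
        if len(passphrase) < MIN_PASSPHRASE:
            raise ValueError("passphrase must be at least 6 characters")
        salt = os.urandom(16)
        return cls(owner_dn, salt, _kdf(passphrase, salt), max_proxy_lifetime, list(retrievers))


@dataclass
class Repository:
    """Server-wide policy: the knobs the 'Repository Policies' slide lists."""
    creds: dict = field(default_factory=dict)
    authorized_retrievers: list = field(default_factory=lambda: ["*"])  # who may retrieve at all
    default_retrievers: list = field(default_factory=lambda: ["*"])     # when the owner set none
    trusted_retrievers: list = field(default_factory=list)             # may skip the passphrase
    max_proxy_lifetime: int = 12 * 3600

    @staticmethod
    def matches(dn, policy):
        return any(fnmatch(dn, pat) for pat in policy)

    def handle_get(self, raw, client_dn=ANONYMOUS):
        """Return (response bytes, granted proxy lifetime in seconds or None)."""
        req = dict(decode(raw))
        if req.get("VERSION") != VERSION or req.get("COMMAND") != str(GET_PROXY):
            return error("unsupported request"), None
        cred = self.creds.get(req.get("USERNAME", ""))
        if cred is None:
            return error("no credential for this username"), None
        # Both the server-wide and the per-credential retriever policy must allow the caller.
        if not self.matches(client_dn, self.authorized_retrievers):
            return error("not an authorized retriever"), None
        if not self.matches(client_dn, cred.retrievers or self.default_retrievers):
            return error("credential policy does not allow this retriever"), None
        # A certificate-authenticated trusted portal needs no user passphrase.
        trusted = client_dn != ANONYMOUS and self.matches(client_dn, self.trusted_retrievers)
        if not trusted and not hmac.compare_digest(
                _kdf(req.get("PASSPHRASE", ""), cred.salt), cred.pass_hash):
            return error("invalid passphrase"), None
        # The server hands out the shortest of: requested, per-credential cap, server-wide cap.
        granted = min(int(req.get("LIFETIME", "0")), cred.max_proxy_lifetime, self.max_proxy_lifetime)
        return encode([("VERSION", VERSION), ("RESPONSE", RESPONSE_OK)]), granted


def delegate(repo, username, owner_dn, delegatee_dn, lifetime_sec):
    """Password-based delegation: store a credential under a throwaway random
    passphrase, retrievable only by the delegatee's DN, and return what the
    delegator passes to the delegatee out of band."""
    random_pass = os.urandom(12).hex()
    repo.creds[username] = StoredCred.put(owner_dn, random_pass, lifetime_sec, [delegatee_dn])
    return username, random_pass
```

The order of the checks is the point: retriever policy is evaluated before the passphrase, so a caller the policy excludes learns nothing about the passphrase, and a trusted portal's certificate replaces the passphrase only once both the server-wide and the per-credential policy have admitted its DN. The lifetime the client asks for is never trusted; the stored cap and the server-wide cap both bound it.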
SSO for Browser and Application (diagram)
Components: Browser, Portal, JWS (Java Web Start), Application, MyProxy Server, Grid Service.
Flow as labelled: the user authenticates in the Browser to the Portal, which obtains a cert from the MyProxy Server. The Portal launches the Application through JWS, passing a random password; the Application uses that random password to retrieve its own cert from the MyProxy Server and uses the X.509 credential with the Grid Service, so the user signs on once for both browser and application.
Conclusion
- MyProxy provides a versatile solution for credential management on the grid
  - Demonstrated use in many authentication, delegation, and single sign-on scenarios
- MyProxy provides practical authentication solutions
  - Minimizes changes to existing software and protocols
  - Leverages community standards: GSI, PAM, SASL, Kerberos, LDAP, Pubcookie
- Active MyProxy open source community
  - New capabilities can be deployed incrementally
  - We all benefit from each other's work